Recently, my old Perl form mailer has been abused. A big mess. I've disabled it and am getting a PhpFormGen script, but it doesn't seem to be testing form fields against anything malicious. Where do I find info on securing form input for (1) emailing the form and (2) inserting into a mySQL DB?
And (3), my hosting admin said that it's more secure not to use mail(), which phpFormGen is using. What is a better way to send email? I've heard it's to connect to SMTP, but I have no idea how it is done.
Any help is appreciated!
--------------------
Stan Berka
Portland, OR
Information on php form security is free and available from many sites on the web. Do a search for "php form security" and have a look.
The phpFormGen makes use of the most common security measures and should hold up well under most security attacks. However, it is not guaranteed to be 100% secure from attack. You are responsible for testing and verifying your own web site forms if you feel they are vulnerable to attack.
Let me know if you have specific examples of vulnerability and I will do my best to help you make your forms secure under these circumstances.
I didn't in any way suggest it really is insecure. That was *a question*. I just don't know much about PHP. But does phpFormGen actually validate the user input before mailing/inserting into mySQL? That, I have just learned from the Internet, is the most basic way of securing a form mailer.
Again, it's in no way an accusation, because the phpFormGen is a great piece of work. It's a *question*.
No offense taken, especially since I am not the creator. Anyway, yes, phpFormGen is secure under most circumstances. There is validation of every field. There are blank checks that you define that will invalidate the submission and terminate further processing. There are specific checks for common things like email addresses. For example, this is the code to check for valid email addresses:
// eregi() does a case-insensitive POSIX regex match. It was deprecated in PHP 5.3
// and removed in PHP 7.0; on current PHP the same check is preg_match() with the /i modifier.
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$Email)){
    $error.="<li>Invalid email address entered";
    $errors=1;
}
You will see this eregi function used in many secure code examples found on the internet.
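The two things the original question asks for, validating form input before it is emailed and before it is inserted into MySQL, as an added example written for this thread (it is not phpFormGen's code). It reuses the email pattern quoted above via preg_match(), adds the line-break check that keeps submitted values from reaching mail headers, and stores the submission with a PDO prepared statement. The function names, the form_submissions table and its columns, the $fromAddress parameter and the sample input are all assumptions made for the example.

```php
<?php
// Added example for this thread, not phpFormGen code. Function names, the
// form_submissions table/columns and the sample input are assumptions.
declare(strict_types=1);

// The email pattern quoted in the thread, written for preg_match(); the /i
// modifier gives the case-insensitivity that eregi() had (eregi was removed in PHP 7.0).
const EMAIL_PATTERN = '/^[a-z0-9]+([_\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]+)*)+\.[a-z]{2,}$/i';

/**
 * Validate one submission. Returns a list of error messages (empty means valid).
 */
function validateSubmission(array $fields): array
{
    $errors = [];

    // Blank checks, as the thread describes: required fields must be non-empty.
    foreach (['name', 'email', 'message'] as $required) {
        if (!isset($fields[$required]) || trim((string)$fields[$required]) === '') {
            $errors[] = "Field '$required' is required";
        }
    }

    // Email format check, the preg_match() equivalent of the quoted eregi() test.
    if (isset($fields['email']) && !preg_match(EMAIL_PATTERN, (string)$fields['email'])) {
        $errors[] = 'Invalid email address entered';
    }

    // Any value that is placed into a mail header (Reply-To, Subject, the sender
    // name) must not contain CR or LF: a line break in a header field starts a new
    // header line, which is the classic way a form mailer gets abused as a relay.
    foreach (['name', 'email', 'subject'] as $headerField) {
        if (isset($fields[$headerField]) && preg_match('/[\r\n]/', (string)$fields[$headerField])) {
            $errors[] = "Field '$headerField' may not contain line breaks";
        }
    }

    return $errors;
}

/**
 * Build headers from already-validated fields. The site's own address goes in
 * From (the assumed $fromAddress); the submitter's address only in Reply-To.
 */
function buildMailHeaders(array $fields, string $fromAddress): string
{
    return "From: $fromAddress\r\n"
         . "Reply-To: {$fields['email']}\r\n";
}

/**
 * Send the submission with mail(), as phpFormGen does. Call validateSubmission()
 * first; only a submission with no errors should reach this function.
 */
function sendSubmission(array $fields, string $recipient, string $fromAddress): bool
{
    $subject = isset($fields['subject']) ? (string)$fields['subject'] : 'Website form';
    $body    = "Name: {$fields['name']}\nEmail: {$fields['email']}\n\n{$fields['message']}";
    return mail($recipient, $subject, $body, buildMailHeaders($fields, $fromAddress));
}

/**
 * Store the submission with a prepared statement: the values travel separately
 * from the SQL text, so quotes or semicolons in a message cannot alter the query.
 * Assumes a PDO connection to MySQL and the assumed form_submissions table.
 */
function storeSubmission(PDO $db, array $fields): void
{
    $stmt = $db->prepare(
        'INSERT INTO form_submissions (name, email, subject, message, submitted_at)
         VALUES (:name, :email, :subject, :message, NOW())'
    );
    $stmt->execute([
        ':name'    => $fields['name'],
        ':email'   => $fields['email'],
        ':subject' => $fields['subject'] ?? '',
        ':message' => $fields['message'],
    ]);
}

// Constructed sample input: one ordinary submission and one whose email field
// carries a line break, which both the email pattern and the header check reject.
$good = ['name' => 'Stan', 'email' => 'stan@example.com', 'subject' => 'Hello', 'message' => 'Test'];
$bad  = ['name' => 'Stan', 'email' => "stan@example.com\r\nX-Extra: header", 'message' => 'Test'];

print_r(validateSubmission($good));
print_r(validateSubmission($bad));

// To send and store a valid submission (recipient, sender and DSN are placeholders):
// if (validateSubmission($good) === []) {
//     sendSubmission($good, 'you@example.com', 'forms@example.com');
//     storeSubmission(new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS'), $good);
// }
```

The order matters: validation runs once, before either the mail or the database path, and the same rejected submission never reaches mail() or the INSERT. The regex answers "is this shaped like an address", the CR/LF check answers "can this value be placed on a header line", and the prepared statement means the message body needs no escaping at all for the database.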